Add Let's Encrypt HTTP Challenge #2701
Conversation
juliens
added
kind/enhancement
juliens
force-pushed
the
challenge-http
branch
from
46e264e
to
735d199
Compare
acme/acme.go
Outdated
| } | ||
|
|
||
| type DNSChallenge struct { | ||
| DNSProvider string `description:"Use a DNS based challenge provider rather than HTTPS."` |
acme/acme.go
Outdated
| } | ||
|
|
||
| type HTTPChallenge struct { | ||
| EntryPoint string `description: "HTTP EntryPoint for challenge to"` |
There was a problem hiding this comment.
HTTP EntryPoint for challenge to => HTTP challenge EntryPoint
acme/acme.go
Outdated
| router.Methods(http.MethodGet).Path(acme.HTTP01ChallengePath("{token}")).Handler(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) { | ||
| vars := mux.Vars(req) | ||
| if token, ok := vars["token"]; ok { | ||
| domain, _, _ := net.SplitHostPort(req.Host) |
acme/account.go
Outdated
| @@ -24,6 +24,7 @@ type Account struct { | |||
| PrivateKey []byte | |||
| DomainsCertificate DomainsCertificates | |||
| ChallengeCerts map[string]*ChallengeCert | |||
| HttpChallenge map[string]map[string][]byte | |||
There was a problem hiding this comment.
We really need to add an integration test to check that we support old acme.json.
acme/acme.go
Outdated
| @@ -155,7 +196,8 @@ func (a *ACME) CreateClusterConfig(leadership *cluster.Leadership, tlsConfig *tl | |||
| } | |||
|
|
|||
| a.store = datastore | |||
| a.challengeProvider = &challengeProvider{store: a.store} | |||
| a.challengeTLSProvider = &challengeTLSProvider{store: a.store} | |||
| a.challengeHTTPProvider = &challengeHTTPProvider{store: a.store} | |||
There was a problem hiding this comment.
I'm not in love with instantiating challengeTLSProvider & challengeHTTPProvider here.
acme/acme.go
Outdated
| if a.OnDemand { | ||
| log.Warn("ACME.OnDemand is deprecated") | ||
| } | ||
|
|
There was a problem hiding this comment.
I would use SetEffectiveConfiguration() to initialize the configuration correctly instead of init()
juliens
force-pushed
the
challenge-http
branch
from
735d199
to
f06f528
Compare
juliens
force-pushed
the
challenge-http
branch
2 times, most recently
from
3fe761c
to
0556b6b
Compare
|
Based on https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188 I think you can change the default ... And a huge thanks for your reactivity to implement HTTP-01 |
ldez
force-pushed
the
challenge-http
branch
2 times, most recently
from
bcef1c8
to
23ce35e
Compare
docs/user-guide/examples.md
Outdated
| caServer = "http://172.18.0.1:4000/directory" | ||
| entryPoint = "https" | ||
| [acme.dsnChallenge] |
|
This fix does not work for me. I get is getting only the host without port and failing. So for now i'm stuck. I have no idea, why this is not working for me, but obviously works for others. My setup is quite basic: traefik on docker with no special thinks (i reduced the config mostly to the basic example). |
|
@markuslackner Could you go to the Traefik community Slack in the channel #support and give more information about your configuration. Edit: the problem is now fixed 🎉 |
ldez
force-pushed
the
challenge-http
branch
2 times, most recently
from
6319c3d
to
6d91f55
Compare
traefiker
force-pushed
the
challenge-http
branch
from
f490f10
to
ad2c638
Compare
|
The official unofficial image. |
|
I'm still getting the |
|
@kruemelro Remember to download a new image and clear the cache. [acme.httpChallenge]
entryPoint = "http"to config file ( |
|
The documentation http://v1-5.archive.docs.traefik.io/configuration/acme/#acmehttpchallenge Please don't use |
|
@ldez Currently it is the only way because Docker has not yet released a new version of the official image. |
|
I know but we don't recommend the use of this image. |
|
The official image is available: |
|
@ldez When I try run |
|
@HUg0005 I think some images are still under construction, you need to wait. |
|
Hi, I'm following this PR since the beginning. Thanks all for the efforts. Can I still use the redirection to https entrypoint enabled on the http entrypoint or it won't work properly with the HTTP-01 validation? If no, how can I redirect anything besides the validation to https entrypoint? Thanks. |
|
@xalexslx you can still use the redirection. |
|
Just rebuilt my container with traefik:1.5 and the new acme config: works like a charm. |
|
Hi, i am getting 400/timeout when enabling HTTP-01, is there anything else i am supposed to do beside enabling the challenge? |
|
@vrosales Can you come on the Traefik community Slack to give us more information about your configuration? |
|
Due to the number of question about redirection: The redirection is fully compatible with the HTTP-01 challenge. You can use redirection with HTTP-01 challenge without problem. Enjoy 🎉 |
What does this PR do?
Until now, Træfik only allowed
TLS-SNI-01andDNS-01challenges to generate/renew ACME certificates.This PR allows users to generate/renew ACME certificates thanks to the
HTTP-01challenge.Motivation
Due to a security vulnerability, Let's Encrypt disabled
TLS-SNI-01challenges.More information here and here.
Fixes #1832
More
Additional Notes
TLS-SNI-01stays the default challenge in Træfik. If this challenge becomes definitively disabled, it will be removed from Træfik in future versions.HTTP-01challenge requires anHTTPentry point which can be accessed through the port80by Let's Encrypt.acmeconfiguration has to evolve in Træfik, many fields will be deprecated by this PR.